Today’s CEOs are on the hook like never before. Their company data is under attack, and IT directors are no longer the only employees held accountable for security breaches.
In September, Richard Smith, chief executive of consumer credit reporting agency Equifax, retired after a series of security and public relations disasters in which the company lost personal information for more than 140 million people.
And he's not alone. In recent years, Austrian aerospace parts maker FACC’s CEO was fired after a hack cost the company $47 million. Former Sony CEO Amy Pascal admitted she was fired as a result of a breach. And the CEOs of both Target and Home Depot, along with several board members, were no longer in their positions within months of major security breaches at their companies.
This top level of security accountability is a shift in business culture, but why? Because reputation matters.
While a security attack can have an impact on a business’ bottom line, the financial loss is nothing new. But the consumer’s awareness of the potential damage (identity theft, payment info theft, healthcare info, etc.) caused by a breach is growing, and with it a direct impact on an organization’s reputation. All eyes then turn to top leadership because they hold the highest level of responsibility to their customers.
One study reports that the cost of lost business from data breaches in 2014 was 3.2 million. Those costs include a higher-than-average loss of customers for the industry, increased customer acquisition activities, reputation losses and diminished goodwill.
Turnover of customers after data breaches may be the main driver in breach cost, the study suggests. The average abnormal consumer churn rate between 2013 and 2014 increased 15 percent.
And according to one Information Security Breach survey, “When asked what made a particular (security) incident the worst, 16 out of the 39 organizations who responded cited that it was the damage to their reputation which had the greatest impact.” That means 41 percent of respondents were concerned about reputation, up from 30 percent the previous year.
If the breach itself wasn’t damaging enough, legislatures and law enforcement are increasingly holding organizations responsible for stolen consumer information – all within the public eye.
In congressional hearings, the people in the hot seat are often board members and top executives, as was the case for the recent OPM and FDIC breach investigations. The FBI is tasked with identifying who is ultimately responsible within an organization for protecting consumer info. The courts are taking the approach that implementing security measures can be delegated, but the responsibility and authority for ensuring consumer data is protected remains with top-level management.
The Bottom Line
Chief executives and board members must make protecting their customer data a top priority because the consumer is done with lazy, passive security. They expect business leaders to create a robust culture of security within their organizations, starting at the top.